WordPress Third-Party Plugin Approval Process Policy
Updated Sept 5, 2024
1. Introduction
This policy outlines the approval process for third-party WordPress plugins within the UA WordPress Environment. The aim of this process is to ensure that all plugins are secure, functional, and aligned with our goals and standards. By following this process, we aim to maintain the quality and integrity of our WordPress ecosystem. These steps may be completed in a different order than they are listed here.
2. Request and Evaluation Process
When a request is made for a new feature or a specific plugin, it’s important for the requestor to be aware that the plugin approval process is comprehensive and can be time-intensive. Currently, the average approval process time is 4 weeks, but the process can take longer under some circumstances. This duration accounts for the various stages involved, from initial assessment to final deployment on our website. The following steps will be taken to evaluate the request:
2.1. Initial Evaluation Questions
Before proceeding with the evaluation, the requestor should complete the web request form to provide a clear understanding of the plugin’s purpose and potential impact. WordPress team staff will follow up with the following questions:
- Who is requesting this plugin?
  - Name
  - Email address
- What site(s) should this plugin be activated on?
- Which plugin (or plugins) are being submitted for review?
- What problem does this plugin aim to solve and for what audience?
- How will the success of the plugin be measured?
- Is there a subscription or licensing fee?
- How soon do you intend to begin using the plugin? Is this a hard deadline? (Please note the plugin approval timeline in the Third-Party Plugin Request Policy [link].)
2.2. Feature Assessment
The requested plugin’s feature list will be reviewed to ensure alignment with the stated goals and audience.
- Must-have features will be identified, ensuring they directly address the intended purpose of the plugin.
- Desirable features will also be considered, but they won’t be the sole basis for approval.
2.3. Technical Review
The technical review process involves assessing the plugin’s code quality, security, and performance.
- The plugin’s code should be well-written, adhering to best practices.
- Object-oriented PHP (OOP) is preferred, promoting maintainability and scalability.
- Code will be evaluated using tools such as Code Climate, aiming for a minimum quality score.
- Security checks will be performed using tools like Snyk to identify vulnerabilities.
- The plugin should not utilize functions like eval() and should not have obvious security vulnerabilities.
- The plugin code will be checked for SQL commands that might negatively impact our database. This is done by searching the plugin codebase for terms like wpdb and sql. If SQL commands are present, the probationary period will be used to assess impact.
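The code-level checks above (no eval(), and a search of the plugin for wpdb and SQL usage) can be scripted so the reviewer starts from a list of lines to inspect by hand. The scanner below is an added example, not part of this policy and not a UA WordPress team tool. It assumes the plugin has been unpacked into a directory, expands the policy's "sql" search term into common SQL statement keywords, and adds one heuristic the policy does not name: flagging $wpdb query calls on lines that do not also call $wpdb->prepare(), so those spots get extra attention during the probationary period. The two PHP files it scans are constructed inline for the demonstration.

```python
"""Static pre-screen of a third-party WordPress plugin source tree.

Added example for the Technical Review checks: reports eval() calls,
$wpdb usage, SQL keywords, and (as an extra heuristic not stated in the
policy) $wpdb query calls that are not wrapped in $wpdb->prepare().
"""
import re
import tempfile
import textwrap
from pathlib import Path

# Patterns mirror the policy's manual search terms (eval, wpdb, sql).
EVAL_RE = re.compile(r"\beval\s*\(")
WPDB_RE = re.compile(r"\$wpdb\b")
SQL_RE = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|TRUNCATE)\b",
                    re.IGNORECASE)
# Assumption beyond the policy text: a $wpdb query method on a line without
# $wpdb->prepare() is worth a closer look (line-level heuristic only).
QUERY_RE = re.compile(r"\$wpdb->(query|get_results|get_var|get_row|get_col)\s*\(")
PREPARE_RE = re.compile(r"\$wpdb->prepare\s*\(")


def classify_line(line):
    """Return the list of finding kinds that apply to one source line."""
    kinds = []
    if EVAL_RE.search(line):
        kinds.append("eval")
    if WPDB_RE.search(line):
        kinds.append("wpdb")
    if SQL_RE.search(line):
        kinds.append("sql")
    if QUERY_RE.search(line) and not PREPARE_RE.search(line):
        kinds.append("unprepared_query")
    return kinds


def scan_plugin(root):
    """Walk every .php file under root and collect findings for hand review."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), start=1):
            for kind in classify_line(line):
                findings.append({
                    "file": path.relative_to(root).as_posix(),
                    "line": lineno,
                    "kind": kind,
                    "code": line.strip(),
                })
    return findings


def summarize(findings):
    """Count findings per kind; a non-zero eval count is a hard stop per the policy."""
    counts = {"eval": 0, "wpdb": 0, "sql": 0, "unprepared_query": 0}
    for finding in findings:
        counts[finding["kind"]] += 1
    return counts


def build_sample_plugin():
    """Write a constructed two-file plugin into a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="plugin-scan-"))
    (root / "sample-plugin.php").write_text(textwrap.dedent("""\
        <?php
        /* Plugin Name: Constructed Sample (for the scanner demo only) */
        function sp_get_items() {
            global $wpdb;
            $table = $wpdb->prefix . 'sp_items';
            return $wpdb->get_results( $wpdb->prepare( "SELECT * FROM {$table} WHERE status = %s", 'active' ) );
        }
        """), encoding="utf-8")
    (root / "includes").mkdir()
    (root / "includes" / "legacy.php").write_text(textwrap.dedent("""\
        <?php
        function sp_legacy_count( $status ) {
            global $wpdb;
            $sql = "SELECT COUNT(*) FROM {$wpdb->prefix}sp_items WHERE status = '$status'";
            return $wpdb->get_var( $sql );
        }
        function sp_run( $code ) {
            return eval( $code );
        }
        """), encoding="utf-8")
    return root


def report(root):
    """Print each finding as file:line [kind] code, then return the summary."""
    findings = scan_plugin(root)
    for f in findings:
        print(f"{f['file']}:{f['line']} [{f['kind']}] {f['code']}")
    counts = summarize(findings)
    print("summary:", counts)
    return counts


if __name__ == "__main__":
    report(build_sample_plugin())
```

Run it as a script to scan the constructed sample; for a real request, call `report("/path/to/unpacked-plugin")`. The output is a worklist, not a verdict: the prepared/unprepared check looks at one line at a time, so a `$wpdb->prepare()` call on the preceding line will show up as a false positive, and any SQL keyword inside a comment is reported too. That bias toward over-reporting is deliberate for a review step that ends in a human decision.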
2.4. Usage and Compatibility
The plugin’s compatibility and usage will be examined:
- The plugin should be tested on the latest version of WordPress.
- Support for modern PHP versions is expected.
- The plugin should have a substantial user base, preferably with at least 10,000 active installations.
- An average rating of at least 4, along with minimal open issues, is preferred.
- The plugin should be actively maintained and well-supported.
- The plugin must be multisite compatible, with necessary functionality available to non-Super Admin users.
2.5. Additional Considerations
- If the plugin involves front-end components, its impact on website performance and accessibility will be assessed.
- If the plugin serves a purpose for multiple sites, it will be evaluated for broader utility. As a general rule, the more broadly useful a plugin is, the more likely it is to be added to the environment.
- Any requirements for our involvement beyond installation will be discussed. Additional requirements may extend the approval/deployment timeline.
- Existing plugins similar to the requested one will be researched to ensure the requested plugin is the best solution.
2.6. Security and Accessibility
Plugins that handle sensitive data or have a significant impact on user experience will undergo additional review:
- Plugins will be reviewed by the Security and Accessibility teams if necessary. Identified security and/or accessibility issues may extend the timeline or cause the plugin request to be denied.
3. Installation and Testing
The plugin will be installed and tested in the following manner:
- Installation on a local environment for initial testing.
- Installation on the DEV/UAT server for further testing and validation.
- Compatibility with existing themes and plugins will be determined.
If incompatibility between the requested plugin and existing themes and plugins is found, this conflict will be evaluated and discussed by stakeholders to determine whether the plugin can still be used, or if another plugin needs to be considered.
4. Probationary Period
All newly installed plugins will enter a probationary period of approximately three months. During this time, the plugin’s performance will be monitored to assess any negative impact on site speed, stability, and overall functionality. Plugins that show significant issues may be subject to removal or further review.
5. Evaluation and Governance
Upon completing the technical evaluation, approved plugins will not only be shared with the requestor but also evaluated by the WordPress Governance Group, ensuring alignment with broader organizational goals and standards.
6. Documentation and Communication
Once a network-wide plugin is approved and successfully installed, necessary documentation detailing its features, installation process, and usage instructions will be added to our support website at wordpress.wfu.edu on the same day that the plugin is made available to users. This documentation will serve as a resource for the community, aiding in the seamless adoption and utilization of the new plugin. Additionally, the approval and availability of the plugin will be communicated to the community through appropriate channels, ensuring transparency and awareness.
7. Collaboration with Developers
We encourage collaboration with third-party plugin developers to share insights, improvements, and solutions. However, expectations may differ between code developed in-house and code for third-party plugins. Clear communication and alignment on expectations are vital for successful collaboration.
8. Conclusion
By adhering to this plugin approval process, which may span over a period of up to two to three months, our objective is to uphold a secure, top-tier, and streamlined WordPress ecosystem that effectively fulfills our organizational objectives and user requirements. This structured procedure guarantees that third-party plugins align with our rigorous benchmarks encompassing code quality, security, performance, and compatibility.